From a441573ead489ed6d65e75adff5e3c9c1259585a Mon Sep 17 00:00:00 2001 From: fdie <5943122+fdie@users.noreply.github.com> Date: Fri, 23 Feb 2024 10:59:42 +0100 Subject: [PATCH] Increase the iteration count for SCRAM-SHA-512 to 10000 --- CHANGELOG.md | 5 +++++ include/scram.hrl | 2 ++ src/xmpp_sasl_scram.erl | 7 +++++-- 3 files changed, 12 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 9d73272..67b13ee 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,8 @@ +# Version xxx + +* Increase the iteration count for SCRAM-SHA-512 +[see spec](https://datatracker.ietf.org/doc/html/draft-melnikov-scram-sha-512#name-security-considerations-3) + # Version 1.8.0 * Updating fast_tls to version 1.1.17. diff --git a/include/scram.hrl b/include/scram.hrl index a5e3930..9eb1885 100644 --- a/include/scram.hrl +++ b/include/scram.hrl @@ -24,3 +24,5 @@ -type scram() :: #scram{}. -define(SCRAM_DEFAULT_ITERATION_COUNT, 4096). +% see https://datatracker.ietf.org/doc/html/draft-melnikov-scram-sha-512#name-security-considerations-3 +-define(SCRAM_SHA512_ITERATION_COUNT, 10000). diff --git a/src/xmpp_sasl_scram.erl b/src/xmpp_sasl_scram.erl index c5aee21..ef6ee0f 100644 --- a/src/xmpp_sasl_scram.erl +++ b/src/xmpp_sasl_scram.erl @@ -136,16 +136,19 @@ mech_step(#state{step = 2, algo = Algo, ssdp = Ssdp} = State, ClientIn) -> base64:decode(SEK), base64:decode(Slt), IC}; _ -> + Iterations = if Algo =:= sha512 -> ?SCRAM_SHA512_ITERATION_COUNT; + true -> ?SCRAM_DEFAULT_ITERATION_COUNT + end, TempSalt = p1_rand:bytes(?SALT_LENGTH), SaltedPassword = scram:salted_password(Algo, Pass, TempSalt, - ?SCRAM_DEFAULT_ITERATION_COUNT), + Iterations), {scram:stored_key(Algo, scram:client_key(Algo, SaltedPassword)), scram:server_key(Algo, SaltedPassword), TempSalt, - ?SCRAM_DEFAULT_ITERATION_COUNT} + Iterations} end, ClientFirstMessageBare = substr(ClientIn,